linux-ipsec: KLIPS <=> CISCO IOS IPSEC interoperability
Hi,
I've successfully tested interoperation of KLIPS IPSEC (freeswan 0.91,
redhat 5.2, kernel 2.0.36) against Cisco IOS IPSEC 11.3(7)T, using
ipsec manual to initialize SA's on freeswan, and manual preshared ipsec
keying (static config of secrets for all algorithms) on both ends.
Algorithms used were ESP tunnel mode, des encryption with md5 or sha
auth. I can see no reason why it won't work with 3des on the router, and
I should be able to get my hands on this soon.
I did a little bit of performance testing between the subnets under
configuration 1).
The test was choked by virtue of a 128kbit circuit being present in the
public ip network portion of the test,
also a little unfair in that the 2501 is a pretty low-end non-vpn-suited
box, but anyway:
Layer 3 throughput rate on _public_ net : approx 123kbit
Linux freeswan box, P166 : running around 3% utilisation.
Cisco router, 2501 : running at 66% utilisation (almost entirely due to
the crypto).
Application layer throughput rate approx : 115kbit.
At present pluto will still not talk to cisco's isakmp (at least not to
the point where they get IPSEC SA's up :-), but I've not tried the
recent pluto build that I've just seen mail from hugh about.
Attached are the config details (router and freeswan) for the manual
configuration, please feel free to use/abuse/include these if considered
relevant to the project.
Cheers,
Ian
--
Ian Calderbank, ianc@uk.uu.net
Network Engineering, UUNET UK
Configuration 1, subnet-subnet.
===============================
rfc1918 subnet =>linux freeswan-----public internet------cisco router<= (different)rfc1918 subnet
freeswan ipsec-manual file
-------------------------
ipsec subnet-subnet-manual-tunnel
type=tunnel
left=x.x.x.x
#linux box public ip address
leftsubnet=192.168.100.0/24
right=y.y.y.y
#router public ip address
rightsubnet=192.168.2.0/24
spibase=0x200
# router to linux spi 0x202(514)
leftespspi=0x202
leftespenckey=0x3f443296_2b200d51
leftespauthkey=0xc6de745b_bf23d01a_67eb4c13_25f3b22f
# linux to router spi 0x201(513)
rightespspi=0x201
rightespenckey=0x2b200d51_69f2a670
rightespauthkey=0x67eb4c13_25f3b22f_c6de745b_bf23d01a
esp=des-md5-96
espiv=0xaf08ecbf_76b6e486
------------------------
Relevant bits of ios router configuration:
crypto ipsec transform-set des-md5 esp-des esp-md5-hmac
crypto map TEST 1 ipsec-manual
set peer x.x.x.x
! linux box public ip address
set security-association inbound esp 513 cipher 2b200d5169f2a670 authenticator 67eb4c1325f3b22fc6de745bbf23d01a
set security-association outbound esp 514 cipher 3f4432962b200d51 authenticator c6de745bbf23d01a67eb4c1325f3b22f
set transform-set des-md5
match address 102
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
interface <the public interface>
crypto map TEST
-------------------------
IPSEC protected traffic flows without any apparent problems between the two rfc1918 subnets.
Configuration 2)
===============
linux freeswan---public internet----cisco router <= rfc1918 subnet
freeswan ipsec-manual file
-------------------------
ipsec host-subnet-manual-tunnel
type=tunnel
left=x.x.x.x
#linux box public ip address
right=y.y.y.y
#router public ip address
rightsubnet=192.168.2.0/24
spibase=0x300
# router to linux spi 0x302(770)
leftespspi=0x302
leftespenckey=0x3f443296_2b200d51
leftespauthkey=0xc6de745b_bf23d01a_67eb4c13_25f3b22f_7bce4c50
# linux to router spi 0x301(769)
rightespspi=0x301
rightespenckey=0x76af5bbf_b7c420ad
rightespauthkey=0xf43fb4d6_41e86aac_af5883df_61bbd071_bd21b799
esp=des-sha1-96
espiv=0x6c406b86_20318030
-------------------------------
Relevant bits of ios router configuration:
crypto ipsec transform-set des-sha esp-des esp-sha-hmac
crypto map TEST 1 ipsec-manual
set peer x.x.x.x
! linux box public ip address
set security-association inbound esp 769 cipher 76af5bbfb7c420ad authenticator f43fb4d641e86aacaf5883df61bbd071bd21b799
set security-association outbound esp 770 cipher 3f4432962b200d51 authenticator c6de745bbf23d01a67eb4c1325f3b22f7bce4c50
set transform-set des-sha
match address 111
access-list 111 permit ip 192.168.2.0 0.0.0.255 host x.x.x.x (linux public ip address)
interface <the public interface>
crypto map TEST
-----------------------------
Again, ipsec traffic flows without any apparent problems between the host and the rfc1918 subnet.
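The two configurations above are the same keying material written in two notations: FreeS/WAN takes the SPI in hex and keys as 0x...._.... words, IOS takes the SPI in decimal and keys as bare hex, and FreeS/WAN's leftespspi (the SA delivered to the linux box) becomes the router's outbound SA. The following script is an added example, not part of the original post, that parses a manual conn (the keying lines of Configuration 1, constructed inline), checks the key lengths against the esp= algorithms, and emits the router's set security-association lines, assuming the router is "right":

```python
# Key sizes (bytes) for the algorithms the post uses: DES, HMAC-MD5-96, HMAC-SHA1-96.
ENC_KEY_BYTES = {"des": 8}
AUTH_KEY_BYTES = {"md5": 16, "sha1": 20}

# Constructed sample: the keying lines of the post's Configuration 1.
CONF1 = """
ipsec subnet-subnet-manual-tunnel
# router to linux spi 0x202(514)
leftespspi=0x202
leftespenckey=0x3f443296_2b200d51
leftespauthkey=0xc6de745b_bf23d01a_67eb4c13_25f3b22f
# linux to router spi 0x201(513)
rightespspi=0x201
rightespenckey=0x2b200d51_69f2a670
rightespauthkey=0x67eb4c13_25f3b22f_c6de745b_bf23d01a
esp=des-md5-96
"""

def parse_manual_conn(text):
    """Parse the key=value lines of a FreeS/WAN manual conn into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def hexkey(value):
    """Turn FreeS/WAN's 0x...._.... form into the bare hex string IOS takes."""
    v = value.lower()
    v = v[2:] if v.startswith("0x") else v
    v = v.replace("_", "")
    int(v, 16)  # raises ValueError if the key is not hex
    return v

def check_key_lengths(conf):
    """Return the names of keys whose length does not fit the esp= algorithms."""
    enc, auth, _ = conf["esp"].split("-")          # e.g. des-md5-96
    problems = []
    for side in ("left", "right"):
        if len(hexkey(conf[side + "espenckey"])) != 2 * ENC_KEY_BYTES[enc]:
            problems.append(side + "espenckey")
        if len(hexkey(conf[side + "espauthkey"])) != 2 * AUTH_KEY_BYTES[auth]:
            problems.append(side + "espauthkey")
    return problems

def ios_sa_lines(conf):
    """Router-side IOS lines. right* SAs arrive at the router (inbound),
    left* SAs arrive at the linux box (router outbound); SPI is decimal in IOS."""
    lines = []
    for direction, side in (("inbound", "right"), ("outbound", "left")):
        lines.append("set security-association %s esp %d cipher %s authenticator %s" % (
            direction, int(conf[side + "espspi"], 16),
            hexkey(conf[side + "espenckey"]), hexkey(conf[side + "espauthkey"])))
    return lines
```

Running ios_sa_lines on the parsed CONF1 reproduces the two IOS lines shown under Configuration 1 above.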
Received on Wed Jan 27 11:24:30 1999